MiniDuke miscreants whip out old-school tricks to spy on world+dog

A new strain of malware designed to spy on multiple government entities and institutions across the world has been discovered by anti-virus firm Kaspersky Lab.

MiniDuke has infected government entities in the Ukraine, Belgium, Portugal, Romania, the Czech Republic and Ireland. In addition, a research institute, two think-tanks, and a healthcare provider in the US were also compromised. A prominent research organisation in Hungary was also infected with the mystery malware. An analysis of logs from command servers, suggest the malware has hit 59 unique victims in 23 countries including locations as diverse as Brazil, Israel, Germany, Lebanon, Spain, the UK and Japan.

Attacks designed to spread the malware made use of the recently discovered PDF exploit in Adobe Reader (CVE-2013-6040) to distribute MiniDuke over the past week or so, according to Kaspersky Lab researchers.

Security experts at the Russian security firm reckon MiniDuke features hallmark techniques more associated with really old-school VXers, not least because it features a backdoor written in Assembler language.

“This is a very unusual cyberattack,” said Eugene Kaspersky, founder and chief exec of Kaspersky Lab. “I remember this style of malicious programming from the end of the 1990s and the beginning of the 2000s. I wonder if these types of malware writers, who have been in hibernation for more than a decade, have suddenly awoken and joined the sophisticated group of threat actors active in the cyberworld."

"These elite, 'old-school' malware writers were extremely effective in the past at creating highly complex viruses, and are now combining these skills with the newly advanced sandbox-evading exploits to target government entities or research institutions in several countries.

“MiniDuke’s highly customised backdoor was written in Assembler and is very small in size, being only 20KB. The combination of experienced old school malware writers using newly discovered exploits and clever social engineering to compromise high profile targets is extremely dangerous,” he added.

Booby-trapped documents that formed the theme of the attack featured fabricated human rights seminar information (ASEM) and Ukraine’s foreign policy and NATO membership plans. These malicious PDF files were rigged with exploits attacking Adobe Reader versions 9, 10, and 11, bypassing Adobe's sandbox in the process. The toolkit used to create these exploits were the same as those that featured in a recent attack reported by FireEye, even though these latter assaults featured a different attack payload.

The theme of the emails, and local geo-political factors, such as Russian resistance to Ukraine's proposed membership of NATO, along with use of old school techniques make it much more likely that the malware was brewed up in Russia rather than China, in the opinion of El Reg's security desk, at least.

The attackers left a small clue in the code, in the form of the number 666 (0x29A hex) before one of the decryption subroutines, indicating an interest in either the Book of Revelations or the works of Iron Maiden.

“MiniDuke is using the same but slightly modified PDF exploit which was involved in the recent attack reported by FireEye," Vitaly Kamluk, chief malware expert at Kaspersky Lab told El Reg. "However, it is not related to any known platforms used in cyber-espionage campaigns (such as 'Tilded' platform in case of Stuxnet and Duqu or Flame platform).

"Some of the elements remind us of cyber-espionage tools such as Duqu or Red October, such as the minimalistic approach, hacked servers, encrypted channels and also the typology of the victims. The amount of high profile victims in this attack is also notable and puts it on the same level with other advanced campaigns such as Red October."

All this and Twitter functionality, too

Kaspersky Lab’s experts, in partnership with CrySys Lab, have analysed the attacks and published preliminary findings suggesting whoever created the malware was skilled and well-aware of the techniques used by anti-virus analysts. For one thing, the malware programmed to avoid analysis by a hardcoded set of tools in certain environments like VMware by laying dormant if it finds itself running in a virtualised environment.

If the target’s system meets the pre-defined requirements, the malware will use surreptitiously use Twitter to start looking for specific tweets from pre-made accounts, providing the encrypted locations of URLs associated with the spyware botnet's command and control channels. The same functionality allows to loading of additional backdoors onto compromised systems.

MiniDuke’s creators also provided a dynamic backup system. If Twitter isn’t working or the accounts are down, the malware can use Google Search to find the encrypted strings to the next command and control node.

Once an infected system locates the C&C nodes, it receives encrypted backdoors that are obfuscated within GIF files and disguised as pictures that appear on a victim’s machine. Once they are downloaded to the machine they can download a larger backdoor that carries out several basic actions, such as copy file, move file, remove file, make directory, kill process, and, of course, download and execute new malware.

The malware backdoor connects to two servers, one in Panama and one in Turkey, to receive instructions from the attackers, according to a joint analysis of the malware by Kaspersky Lab and Hungarian security researchers at the Laboratory of Cryptography and System Security (CrySyS), who previously worked with their Russian counterparts in analysing Flame, another cyber-espionage tool.

CrySyS's take on MiniDuke is here. Kaspersky's preliminary analysis - including screenshots of Twitter message and GIF files associated with the attack - can be found in screenshots on its official Securelist blog here. ®